BUSINESS ASSOCIATE AGREEMENT

THIS BUSINESS ASSOCIATE AGREEMENT (“Agreement”) is made and entered into on this day of September 2013, by and between ______________________________  (“Covered Entity”), and Abeo Solutions, Inc. (“Business Associate”). Covered Entity and Business Associate are sometimes referred to herein collectively as the “parties” and individually as a “party”.

WHEREAS, Business Associate performs certain functions on behalf of and/or provides certain services that qualifies it as a “business associate” of Covered Entity pursuant to 45 C.F.R. § 160.103;

WHEREAS, in the performance of such functions and/or the provision of such services, Business Associate may require access to Protected Health Information (defined below) in possession, custody, or control of Covered Entity, or may create or receive Protected Health information on behalf of Covered Entity for the limited purposes identified in this Agreement;

WHEREAS, pursuant to the Federal Standards for Privacy and Security of Individually Identifiable Health Information, 45 C.F.R. Parts 160 and 164, as established under the Health Insurance Portability and Accountability Act (HIPAA), Covered Entity cannot disclose Protected Health Information to or authorize the creation or receipt of Protected Health Information on its behalf by Business Associate unless Covered Entity obtains from Business Associate satisfactory assurances that Business Associate will properly safeguard such information; and

WHEREAS, Business Associate is willing to provide such assurances to Covered Entity under the terms specified herein.

NOW, THEREFORE, the parties agree as follows:

I. Definitions.

(a)   Breach. “Breach” shall have the same meaning as the term “breach” in 45 C.F.R. § 164.402.

(b)   Business Associate. “Business Associate” shall mean Abeo Solutions, Inc.

(c)    Covered Entity. “Covered Entity” shall mean _____________________________.

(d)   Electronic Health Record. “Electronic Health Record” shall have the same meaning as the term “electronic health record” in American Recovery and Reinvestment Act of 2009, § 13400(5).

(e)    Electronic Protected Health Information. “Electronic Protected Health Information” shall have the same meaning as the term “electronic protected health information” in 45 C.F.R. § 160. 103.

 

(f)   Electronic Transactions Rule. “Electronic Transactions Rule” shall mean the regulations issued by HHS concerning standard transactions and code sets under 45 C.F.R. Parts 160 and 162.

(g) HHS. “HHS” shall mean the Department of Health and Human Services.

(h) Privacy Rule. “Privacy Rule” shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 C.F.R. Parts 160 and 164, subparts A and E.

(i)   Protected Health Information. “Protected Health Information” shall have the same meaning as the term “protected health information” in 45 C.F.R. § 160.103, limited to the information created or received by Business Associate from or on behalf of Covered Entity.

(j)   Required By Law. “Required by Law” shall have the same meaning as the term “required by law” in 45 C.F.R. § 164.103.

(k) Security Incident. “Security Incident” shall have the same meaning as the term “security incident” in 45 C.F.R. § 164.304.

(l)   Security Rule. “Security Rule” shall mean the Security Standards and Implementation Specifications at 45 C.F.R. Parts 160 and 164, subpart C.

(m)Subcontractor. “Subcontractor” shall have the same meaning as the term “Subcontractor” in 45 C.F.R. § 164.103.

(n)   Transaction. “Transaction” shall have the meaning given the term “transaction” in 45 C.F.R. § 160.103.

 

(o)   Unsecured Protected Health Information. “Unsecured protected health information” shall have the meaning given the term “unsecured protected health in C.F.R. §164.402

II. Safeguarding Privacy and Security of Protected Health Information

(a) Permitted Uses and Disclosures. Business Associate is permitted to use and disclose Protected Health Information only as set forth below:

(i)     Functions and Activities on Covered Entity’s Behalf. To perform functions on behalf of Covered Entity as such functions are agreed upon by Covered Entity and Business Associate pursuant to an underlying agreement between the parties (the “Services Agreement”).

(ii)   Business Associate’s Operations. For Business Associate’s proper management and administration or to carry out Business Associate’s legal responsibilities, provided that, with respect to disclosure of the Protected Health Information, either:

(A) The disclosure is Required by Law; or

 

(B) Business Associate obtains reasonable assurance from any other person or entity to which Business Associate will disclose Covered Entity’s Protected Health Information that the person or entity will:

(1)   Hold the Protected Health Information in confidence and use or further disclose the Protected Health Information only for the purpose for which Business Associate disclosed the Protected Health Information to the person or entity or as Required by Law; and

(2)   Promptly notify Business Associate of any instance of which the person or entity becomes aware in which the confidentiality of the Protected Health Information was breached.

(iii)Minimum Necessary. Business Associate will, in its performance of the functions, activities, services, and operations specified above, make reasonable efforts to use, to disclose, and to request only the minimum amount of the Protected Health Information reasonably necessary to accomplish the intended purpose of the use, disclosure or request, except that Business Associate will not be obligated to comply with this minimum-necessary limitation of 45 C.F.R. § 164.502(b) if neither Business Associate nor Covered Entity is required to limit its use, disclosure or request to the minimum necessary. Business Associate and Covered Entity acknowledge that the phrase “minimum necessary” shall be interpreted in accordance with 45 C.F.R. § 164.502(b).

(iv)Mitigation. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of the Protected Health Information by Business Associate in violation of the requirements of this Agreement and to assist Covered Entity’s efforts to mitigate any such harmful effect.

(b)   Required Uses and Disclosures. Business Associate shall disclose Protected Health Information (i) when required by the Secretary of DHHS under 45 C.F.R. Part 160, Subpart C to investigate or determine Business Associate’s compliance with Subchapter C of 45 C.F.R., Subtitle A, and (ii) to Covered Entity, the individual or the individual’s designee, as necessary to satisfy Covered Entity’s obligations under 45 C.F.R. § 164.524(c)(2)(ii) and (3)(ii) with respect to the individual’s request for an electronic copy of his or her Protected Health Information.

(c)    Prohibition on Unauthorized Use or Disclosure. Business Associate will neither use nor disclose the Protected Health Information, except as permitted or required by this Agreement or in writing by Covered Entity or as Required by Law. This Agreement does not authorize Business Associate to use or disclose the Protected Health Information in a manner that will violate the Privacy Rule.

(d) Information Safeguards.

(i) Privacy of Protected Health Information. Business Associate will comply with the Privacy Rule to the extent applicable to Business Associate. The Business Associate’s Privacy Rule safeguards must reasonably protect the Protected Health Information from any intentional or unintentional use, access or disclosure in violation of the Privacy Rule

and limit incidental use, access or disclosure made pursuant to a use, access or disclosure otherwise permitted by this Agreement.

(ii) Security of Electronic Protected Health Information. Business Associate will comply with the Security Rule and will use appropriate administrative, technical, and physical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of Electronic Protected Health Information that Business Associate creates, receives, maintains, or transmits on Covered Entity’s behalf as required by the Security Rule. Business Associate shall review and modify the security measures implemented in accordance with the above as needed to continue provision of reasonable and appropriate protection of Electronic Protected Health Information. Business Associate shall update documentation of such security measures in accordance with 45 C.F.R. § 164.31 6(b)(2)(iii) and shall designate a Security Officer and undertake appropriate training of its personnel in accordance with the Security Rule.

(e)    Subcontractors and Agents. Business Associate will ensure that any of its Subcontractors and agents, to whom it provides Protected Health Information and/or Electronic Protected Health Information received from, or created or received by the Business Associate on behalf of, the Covered Entity agree to the same restrictions and conditions that apply to the Business Associate with respect to such information. Business Associate may permit a business associate that is a Subcontractor to create, receive, maintain, or transmit Electronic Protected Health Information on its behalf only if Business Associate obtains satisfactory assurances, in accordance with 45 C.F.R. § 164.3 14(a), that the Subcontractor will appropriately safeguard such information. Business Associate agrees that any of Business Associate’s Subcontractors that create, receive, maintain or transmit Protected Health Information or Electronic Protected Health Information on behalf of Business Associate shall comply with the applicable requirements of 45 C.F.R. Part 164, Subpart C by entering into a contract or other arrangement with such Subcontractor that complies with 45 C.F.R. § 164.3 14(a)(2)(i).

(f)    Prohibition on Sale of Records. Effective September 23, 2013, Business Associate shall not engage in any sale of Protected Health Information as defined in 45 C.F.R. § 164.501.

  1. III.    Compliance with Electronic Transactions Rule. If Business Associate conducts in whole or part electronic Transactions on behalf of Covered Entity for which HHS has established standards, Business Associate shall comply, and will require any Subcontractor it involves with the conduct of such Transactions to comply, with each applicable requirement of the Electronic Transactions Rule. Business Associate shall also comply with the National Provider Identifier requirements, if and to the extent applicable.
  2. IV.    Individual Rights.

(a) Access. Business Associate will make available Protected Health Information in accordance with 45 C.F.R. § 164.524, upon request from Covered Entity, so that Covered Entity may meet its access obligations under 45 C.F.R. § 164.524. Effective September 23, 2013, if the Protected Health Information is maintained electronically in a designated record set in the Business Associate’s custody or control, then the Covered Entity shall have a right to obtain from Business Associate a copy of such information in an electronic format.

 

(b)   Amendment. Business Associate will, upon receipt of written notice from Covered Entity, promptly amend or permit Covered Entity access to amend any portion of an individual’s Protected Health Information that is in a designated record set in the custody or control of the Business Associate, so that Covered Entity may meet its amendment obligations under 45 C.F.R. § 164.526.

(c)    Disclosure Accounting. Business Associate will make available the information required to provide an accounting of disclosures in accordance with 45 C.F.R. § 164.528, upon request from Covered Entity, to allow Covered Entity to meet its disclosure accounting obligations under 45 C.F.R. § 164.528. Business Associate will maintain the Disclosure Information for six (6) years following the date of the accountable disclosure to which the Disclosure Information relates.

(d)   Restriction Agreements and Confidential Communications. Business Associate will comply with any agreement that Covered Entity makes that either (i) restricts use, access or disclosure of Covered Entity’s Protected Health Information pursuant to 45 C.F.R. § 164.522(a), or (ii) requires confidential communication about Covered Entity’s Protected Health Information pursuant to 45 C.F.R. § 164.522(b), provided that Covered Entity notifies Business Associate in writing of the restriction or confidential communication obligations that Business Associate must follow. Covered Entity will promptly notify Business Associate in writing of the termination of any such restriction agreement or confidential communication requirement and, with respect to termination of any such restriction agreement, instruct Business Associate whether any of Covered Entity’s Protected Health Information will remain subject to the terms of the restriction agreement.

V. Reporting.

(a) Breach or Unauthorized Use, Access or Disclosure. Business Associate will report to Covered Entity any potential Breach of Unsecured Protected Health Information or any other non-permitted use, access or disclosure of Protected Health Information as soon as reasonably practicable and not more than five (5) calendar days after discovery of such potential Breach or such other non-permitted use, access or disclosure of such Protected Health Information. Business Associate will treat a potential Breach as being discovered in accordance with 45 C.F.R. § 164.410. Business Associate will make the report to Covered Entity’s Privacy Officer. If a delay is requested by a law-enforcement official in accordance with 45 C.F.R. § 164.412, Business Associate may delay notifying Covered Entity for the applicable time period. Business Associate’s report will include at least the following, provided that absence of any information will not be cause for Business Associate to delay the report:

(i)     Identify the nature of the Breach or other non-permitted or violating use, access or disclosure by Business Associate or its Subcontractors;

(ii)   Identify the Protected Health Information used, accessed or disclosed by Business Associate or its Subcontractors;

 

(iii)Identify which individual made the Breach or other non-permitted or violating use or access or received the non-permitted or violating disclosure;

(iv)Identify what corrective action Business Associate or its Subcontractors took or will take to prevent further Breaches or other non-permitted or violating uses, accesses or disclosures;

(v) Identify what Business Associate or its Subcontractors did or will do to mitigate any harmful effect of the Breach or other non-permitted or violating use, access or disclosure; and

(vi) Provide such other information, including a written report and risk assessment of Business Associate or its Subcontractors under 45 C.F.R. § 164.402, as Covered Entity may reasonably request.

(b)        Security Incidents. Business Associate will provide notice to Covered Entity of any Security Incident of which Business Associate becomes aware. Business Associate will make the report in the form noted in Section V.(a) above and will cooperate with Covered Entity to promptly address and correct the Security Incident.

(c)          Notice. For purposes of notifying Covered Entity of privacy Breaches, Security Incidents or an unauthorized use, access or disclosure of Protected Health Information, notices shall be deemed given when properly addressed to a party’s privacy contact upon the date of receipt if hand-delivered or emailed, or three (3) business days after deposit in the U.S. mail if mailed by registered or certified mail, postage prepaid, or one (1) business day after deposit with a national overnight courier for next business day delivery, or upon the date of electronic confirmation of receipt of a facsimile transmission.

(d)        Address for Notice. Notice of a privacy Breach, Security Incident or unauthorized use, access or disclosure shall be communicated to Covered Entity as follows:

Contact Office:

Telephone:

Fax:

Email:

VI. Term and Termination.

(a) Term. The term of this Agreement shall be effective as of September 22, 2013, and shall terminate when the underlying Services Agreement between the parties has terminated, subject to obligations of the parties which extend beyond or survive such termination, including those obligations related to return or destruction of Protected Health Information upon termination of this Agreement.

 

(b)   Right to Terminate for Cause. Covered Entity or Business Associate may terminate this Agreement if it determines, in its sole discretion, that the other party has breached any material term of this Agreement, and upon written notice to the breaching party of the breach, the breaching party fails to cure the breach within ten (10) calendar days after receipt of the notice. Any such termination will be effective immediately or at such other date specified in a notice of termination.

(c)    Right to Termination Upon Change in Regulations. Either party may terminate this Agreement if amendment or addition to 45 C.F.R. Parts 160-64 affects the obligations under this Agreement of the party exercising the right of termination. The party so affected may terminate this Agreement by giving the other party written notice of such termination at least 90 days before the compliance date of such amendment or addition to 45 C.F.R. Parts 160- 64.

(d)   Return or Destruction of Covered Entity’s Protected Health Information as Feasible. Upon termination of this Agreement, Business Associate will, if feasible, return or destroy all Protected Health Information received from, or created or received by the Business Associate or its Subcontractors on behalf of, the Covered Entity that the Business Associate or its Subcontractors still maintains in any form and retain no copies of such information or, if such return or destruction is not feasible, extend the protections of this Agreement to the information and limit further uses, accesses and disclosures to those purposes that make the return or destruction of the information infeasible. Business Associate will complete these obligations, and shall cause its Subcontractors to comply with these obligations, as promptly as possible, but in no event later than thirty (30) calendar days following the effective date of termination of this Agreement.

(e)    Continuing Privacy and Security Obligation. Business Associate’s obligation to protect, and to cause its Subcontractors to protect, the privacy and safeguard the security of Covered Entity’s Protected Health Information as specified in this Agreement will be continuous and will survive termination or other conclusion of this Agreement.

VII. Indemnification.

(a) Indemnification. Business Associate agrees to indemnify, defend, and hold harmless Covered Entity and its employees, directors, officers, subcontractors, agents or other members of its workforce (each an “Indemnified Party”) against all actual and direct losses or damages suffered by the Indemnified Party and all liability to third parties arising out of or in connection with any alleged breach of this Agreement by Business Associate or from any alleged negligence or wrongful acts or omissions of Business Associate, including failure of Business Associate to perform its obligations under this Agreement, under the Privacy Regulations or under the Security Rule. Accordingly, on demand, Business Associate shall reimburse any Indemnified Party for any and all actual and direct losses, liabilities, damages, lost profits, fines, penalties, costs or expenses (including reasonable attorney fees) which may be imposed upon any Indemnified Party by reason of any suit, claim, action, proceeding or demand by any third party resulting from Business Associate’s breach of this Agreement.

 

VII. General Provisions.

(a)   Definitions. All terms that are used but not otherwise defined in this Agreement shall have the meaning specified under HIPAA, including its statute, regulations and other official government guidance.

(b)   Inspection of Internal Practices, Books, and Records. Business Associate will make its internal practices, books, policies, procedures and records relating to its use and disclosure of Covered Entity’s Protected Health Information available to HHS to determine compliance with the HIPAA Rules.

(c)    Amendment to Agreement. This Agreement may only be amended or modified by a written instrument signed by the parties. In the event of a change of applicable law, the parties agree to negotiate in good faith to adopt such amendments to this Agreement as are necessary to comply with such change in law.

(d)   No Third-Party Beneficiaries. Nothing in this Agreement shall be construed as creating any rights or benefits to any third parties.

(e)    Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity and Business Associate to comply with the applicable requirements under HIPAA.

(f)    Supersession. This Agreement shall supersede and replace in its entirety any Business Associate Agreement previously in place between the parties as of the date of this Agreement.

 

IN WITNESS WHEREOF, each of the undersigned has caused this Agreement to be duly executed in its name and on its behalf effective as of the date first above written.

“COVERED ENTITY”

______________________

By: _____________________

“BUSINESS ASSOCIATE”

Abeo Solutions, Inc.

 

By: ________________________

 

Click here to download a signed copy in pdf format.

Abeo Solutions, Inc. HIPAA Notice of Privacy Practices

  Effective Date: September 22, 2013

 

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION.  PLEASE REVIEW IT CAREFULLY.

 

If you have any questions about this notice, please contact Sunil Chaudhari at (512) 335-1976.

OUR OBLIGATIONS:

We are required by law to:

  •   Maintain the privacy of protected health information
  •  Notify you of any breaches involving your Protected Health Information
  • Give you this notice of our legal duties and privacy practices regarding health information about you

HOW WE MAY USE AND DISCLOSE HEALTH INFORMATION:

Except for the purposes described below, we will use and disclose Protected Health Information only with your written permission.  You may revoke such permission at any time by writing to our practice Privacy Officer.   We will only use and disclose your Protected Health Information without your authorization when necessary for:

 

  • Treatment. We may use and disclose Protected Health Information for your treatment and to provide you with treatment-related health care services.
  • Payment. We may use and disclose Protected Health Information so that we or others may bill and receive payment from you, an insurance company or a third party for the treatment and services you received.
  • Health Care Operations. We may use and disclose Protected Health Information for health care operations purposes.  We also may share information with other entities that have a relationship with you (for example, your health plan) for their health care operation activities.
  • As Required by Law.  We will disclose Protected Health Information when required to do so by international, federal, state or local law.
  • To Avert a Serious Threat to Health or Safety. We may use and disclose Protected Health Information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person.
  • Business Associates.  We may disclose Protected Health Information to our business associates that perform functions on our behalf or provide us with services if the information is necessary for such functions or services.  We will only disclose your Protected Health Information to Business Associates who have agreed in writing to maintain the privacy of Protected Health Information as required by law.
  • Public Health Risks.  We may disclose Protected Health Information for public health activities.  These activities generally include disclosures to prevent or control disease, injury or disability; report births and deaths; report child abuse or neglect; report reactions to medications or problems with products; notify people of recalls of products they may be using; a person who may have been exposed to a disease or may be at risk for contracting or spreading a disease or condition; and the appropriate government authority if we believe a patient has been the victim of abuse, neglect or domestic violence.  We will only make this disclosure if you agree or when required or authorized by law.
  • Health Oversight Activities.  We may disclose Protected Health Information to a health oversight agency for activities authorized by law.
  • Data Breach Notification Purposes.  We may use or disclose your Protected Health Information to provide legally required notices of unauthorized access to or disclosure of your health information.
  • Lawsuits and Disputes. If you are involved in a lawsuit or a dispute, we may disclose Health Information in response to a court or administrative order.  We also may disclose Health Information in response to a subpoena, discovery request, or other lawful process by someone else involved in the dispute, but only if efforts have been made to tell you about the request or to obtain an order protecting the information requested.
  • Law Enforcement. We may release Protected Health Information if asked by a law enforcement official if the information is: (1) in response to a court order, subpoena, warrant, summons or similar process; (2) limited information to identify or locate a suspect, fugitive, material witness, or missing person; (3) about the victim of a crime even if, under certain very limited circumstances, we are unable to obtain the person’s agreement; (4) about a death we believe may be the result of criminal conduct; (5) about

criminal conduct on our premises; and (6) in an emergency to report a crime, the location of the crime or victims, or the identity, description or location of the person who committed the crime.

USES AND DISCLOSURES THAT REQUIRE US TO GIVE YOU AN OPPORTUNITY TO OBJECT

Individuals Involved in Your Care or Payment for Your Care. We may disclose your Protected Health Information to a member of your family, a relative, a close friend or any other person you identify, that directly relates to that person’s involvement in your health care, if the information

is relevant to their involvement and you have agreed or had an opportunity to object.

WRITTEN AUTHORIZATION IS REQUIRED FOR OTHER USES AND ISCLOSURES

The following uses and disclosures of your Protected Health Information will be made only with your written authorization:

1.  Uses and disclosures of Protected Health Information for marketing purposes; and

2.  Disclosures that constitute a sale of your Protected Health Information

Other uses and disclosures of Protected Health Information not covered by this Notice or the laws that apply to us will be made only with your written authorization.  If you do give us an authorization, you may revoke it at any time by submitting a written revocation to our Privacy Officer and we will no longer disclose Protected Health Information under the authorization. But disclosure that we made in reliance on your authorization before you revoked it will not be affected by the revocation.

YOUR RIGHTS:

You have the following rights regarding Health Information we have about you:

Right to Inspect and Copy.  You have a right to inspect and copy Health Information that may be used to make decisions about your care or payment for your care.

Right to an Electronic Copy of Electronic Medical Records. If your Protected Health Information is maintained in an electronic format (known as an electronic medical record or an electronic health record), you have the right to request that an electronic copy of your record be given to you or transmitted to another individual or entity.

Right to Get Notice of a Breach.  You have the right to be notified upon a breach of any of your unsecured Protected Health Information.

Right to Amend.  If you feel that Protected Health Information we have is incorrect or incomplete, you may ask us to amend the information.  You have the right to request an amendment for as long as the information is kept by or for our office.

Right to an Accounting of Disclosures.  You have the right to request a list of certain

disclosures we made of Protected Health Information for purposes other than treatment, payment and health care operations or for which you provided written authorization.

Right to Request Restrictions.  You have the right to request a restriction or limitation on the Protected Health Information we use or disclose for treatment, payment, or health care operations.  You also have the right to request a limit on the Protected Health Information we disclose to someone involved in your care or the payment for your care, like a family member or friend.  We are not required to agree to your request.

Right to Request Confidential Communications. You have the right to request that we communicate with you about medical matters in a certain way or at a certain location.  To request confidential communications, you must make your request, in writing, to Sunil Chaudhari.  Your request must specify how or where you wish to be contacted.  We will accommodate reasonable requests.

Right to a Paper Copy of This Notice.  You have the right to a paper copy of this notice.  You may ask us to give you a copy of this notice at any time.  Even if you have agreed to receive this notice electronically, you are still entitled to a paper copy of this notice.  You may obtain a copy of this notice at our web site, www.crystalpm.com.

CHANGES TO THIS NOTICE:

We reserve the right to change this notice and make the new notice apply to Protected Health Information we already have as well as any information we receive in the future.  We will post a copy of our current notice at our office.  The notice will contain the effective date on the first page, in the top right-hand corner.

COMPLAINTS:

If you believe your privacy rights have been violated, you may file a complaint with our office or with the Secretary of the Department of Health and Human Services.  To file a complaint with our office, contact Sunil Chaudhari.  All complaints must be made in writing.  You will not be penalized for filing a complaint.

Click here to download a pdf copy.